HAL Id: hal-01767337https://hal.inria.fr/hal-01767337

Submitted on 16 Apr 2018

HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.

Distributed under a Creative Commons Attribution| 4.0 International License

Type Checking Privacy Policies in the π-calculusDimitrios Kouzapas, Anna Philippou

To cite this version:Dimitrios Kouzapas, Anna Philippou. Type Checking Privacy Policies in the π-calculus. 35th Interna-tional Conference on Formal Techniques for Distributed Objects, Components, and Systems (FORTE),Jun 2015, Grenoble, France. pp.181-195, �10.1007/978-3-319-19195-9_12�. �hal-01767337�

1

Type checking privacy policies in the π-calculus

Dimitrios Kouzapas1 and Anna Philippou2

1 Department of Computing, Imperial College London andDepartment of Computing Science, University of Glasgow

dk208@doc.ic.ac.uk2 Department of Computer Science, University of Cyprus

annap@cs.ucy.ac.cy

Abstract. In this paper we propose a formal framework for studying privacy. Ourframework is based on the π-calculus with groups accompanied by a type systemfor capturing privacy requirements relating to information collection, informationprocessing and information dissemination. The framework incorporates a privacypolicy language. We show that a system respects a privacy policy if the typingof the system is compatible with the policy. We illustrate our methodology viaanalysis of privacy-aware schemes proposed for electronic traffic pricing.

1 Introduction

The notion of privacy is a fundamental notion for society and, as such, it has been an ob-ject of study within various scientific disciplines. Recently, its importance is becomingincreasingly pronounced as the technological advances and the associated widespreadaccessibility of personal information is redefining the very essence of the term privacy.

A study of the diverse types of privacy, their interplay with technology, and theneed for formal methodologies for understanding and protecting privacy is discussed in[19], where the authors follow in their arguments the analysis of David Solove, a legalscholar who has provided a discussion of privacy as a taxonomy of possible privacyviolations [18]. According to Solove, privacy violations can be distinguished in fourcategories: invasions, information collection, information processing, and informationdissemination. Invasion-related privacy violations are violations that occur on the physi-cal sphere of an individual. The authors of [19] concentrate on the latter three categoriesand they identify a model for studying them consisting of the data holder possessinginformation about the data subject and responsible to protect this information againstunauthorized adversaries within the environment.

The motivation of this paper stems from the need of developing formal frameworksfor reasoning about privacy-related concepts. Such frameworks may provide solid foun-dations for understanding the notion of privacy and allow to rigorously model and studyprivacy-related situations. More specifically, our objective is to develop a static methodfor ensuring that a privacy policy is satisfied by an information system using the π-calculus as the underlying theory.

To achieve this objective, we develop a meta-theory for the π-calculus that capturesprivacy as policy. Following the model of [19], we create a policy language that enablesus to describe privacy requirements for private data over data entities. For each type ofprivate data we expect entities to follow different policy requirements. Thus, we define

policies as objects that describe a hierarchical nesting of entities where each node/entityof the hierarchy is associated with a set of privacy permissions. The choice of permis-sions encapsulated within a policy language is an important issue because identificationof these permissions constitutes, in a sense, a characterization of the notion of privacy.In this work, we make a first attempt of identifying some such permissions, our choiceemanating from the more obvious privacy violations of Solove’s taxonomy which werefine by considering some common applications where privacy plays a central role.

As an example consider a medical system obligated to protect patient’s data. Insidethe system a nurse may access patient files to disseminate them to doctors. Doctors areable to process the data without any right to disseminate them. Overall, the data cannotbe disclosed outside the hospital. We formalize this policy as follows:

t� Hospital : {nondisclose}[ Nurse : {access,disclose Hospital1},Doctor : {access, read,write}]

where t is the type of the patient’s data. The policy describes the existence of theHospital entity at the higher level of the hierarchy associated with the nondisclose per-mission signifying that patient data should not be disclosed outside the system. Withinthis structure, a nurse may access (but not read) a patient file and disseminate the fileonce (disclose Hospital1). Similarly a doctor may be given access to a patient file but isalso allowed to read and write data within the files (permissions access, read and write).

Moving on to the framework underlying our study, we employ the π-calculus withgroups [5]. This calculus extends the π-calculus with the notion of groups and an as-sociated type system in a way that controls how data is being disseminated inside asystem. It turns out that groups give a natural abstraction for the representation of en-tities in a system. Thus, we build on the notion of a group of the calculus of [5], andwe use the group memberships of processes to distinguish their roles within systems.Information processing issues can be analysed through the use of names of the calculusin input, output and object position to identify when a channel is reading or writingprivate data or when links to private data are being communicated between groups.

An implementation of the hospital scenario in the π-calculus with groups would be

(ν Hospital)((ν Nurse)(a〈l〉.0) | (ν Doctor)(a(x).x(y).x〈d〉.0))

In this system, (νHospital) creates a new group that is known to the two processes of thesubsequent parallel composition while (Nurse) and (Doctor) are groups nested withinthe Hospital group and available to processes a〈l〉.0 and a(x).x(y).x〈d〉.0, respectively.The group memberships of the two processes characterize their nature while reflectingthe entity hierarchy expressed in the privacy policy defined above.

The types of the names in the above process are defined as y : t,d : t, that is yand d are values of sensitive data, while l : Hospital[t] signifies that l is a channel thatcan be used only by processes which belong to group Hospital to carry data of type t.Similarly, a :Hospital[Hospital[t]] states that a is a channel that can be used by membersof group Hospital, to carry objects of type Hospital[t]. Intuitively, we may see that thissystem conforms to the defined policy, both in terms of the group structure as well asthe permissions exercised by the processes. Instead, if the nurse were able to engage ina l〈d〉 action then the defined policy would be violated as it would be the case if the

2

type of a was defined as a : Other[Hospital[t]] for some distinct group Other. Thus, theencompassing group is essential for capturing requirements of non-disclosure.

Using these building blocks, our methodology is applied as follows: Given a sys-tem and a typing we perform type checking to confirm that the system is well-typedwhile we infer a permission interface. This interface captures the permissions exercisedby the system. To check that the system complies with a privacy policy we provide acorrespondence between policies and permission interfaces the intention being that: apermission interface satisfies a policy if and only if the system exercises a subset of theallowed permissions of the policy. With this machinery at hand, we state and prove asafety theorem according to which, if a system Sys type-checks against a typing Γ andproduces an interface Θ , and Θ satisfies a privacy policy P , then Sys respects P .

2 The Calculus

Our study of privacy is based on the π-calculus with groups proposed by Cardelli etal. [5]. This calculus is an extension of the π-calculus with the notion of a group andan operation of group creation where a group is a type for channels. In [5] the authorsestablish a close connection between group creation and secrecy as they show that asecret belonging to a certain group cannot be communicated outside the initial scope ofthe group. This is related to the fact that groups can never be communicated betweenprocesses. Our calculus is based on the π-calculus with groups with some modifications.

We assume the existence of two basic entities: G , ranged over by G,G1, . . . is theset of groups and N , ranged over by a,b,x,y, . . ., is the set of names. Furthermore,we assume a set of basic types D, ranged over by ti, which refer to the basic data ofour calculus on which privacy requirements should be enforced. Specifically, we assigneach name in N a type such that a name may either be of some base type t or of typeG[T ], where G is the group of the name and T the type of value that can be carried onthe name. Given the above, a type is constructed via the following BNF.

T ::= t | G[T ]

Then the syntax of the calculus is defined at two levels. At the process level, P,we have the standard π-calculus syntax. At the system level, S, we include the groupconstruct, applied both at the level of processes (ν G)P, and at the level of systems,(ν G)S, the name restriction construct as well as parallel composition for systems.

P ::= x(y:T ).P | x〈z〉.P | (ν a:T )P | P1 | P2 | !P | 0S ::= (ν G)P | (ν G)S | (ν a:T )S | S1 | S2 | 0

In (ν a:T )P and (ν a:T )S, name a is bound in P and S, respectively, and in processx(y:T ).P, name y is bound in P. In (ν G)P and (ν G)S, the group G is bound in P andS. We write fn(P) and fn(S) for the sets of names free in a process P and a system S,and fg(S) and fg(T ), for the free groups in a system S and a type T , respectively. Notethat free occurrences of groups occur within the types T of a process/system.

We now turn to defining a labelled transition semantics for the calculus. We define alabelled transition semantics instead of a reduction semantics due to a characteristic of

3

the intended structural congruence in our calculus. In particular, the definition of sucha congruence would omit the axiom (ν G)(S1 | S2) ≡ (ν G)S1 | S2 if G 6∈ fg(S2) as itwas used in [5]. This is due to our intended semantics of the group concept which isconsidered to assign capabilities to processes. Thus, nesting of a process P within somegroup G, as in (ν G)P, cannot be lost even if G 6∈ fg(P), since the (ν G) constructhas the additional meaning of group membership in our calculus and it instills P withprivacy-related permissions as we will discuss in the sequel. The absence of this lawrenders a reduction semantics rule of parallel composition rather complex.

To define a labelled transition semantics we first define a set of labels:

` ::= τ | x(y) | x〈y〉 | (ν y)x〈y〉

Label τ is the internal action whereas labels x(y) and x〈y〉 are the input and outputactions, respectively. Label (ν y)x〈y〉 is the restricted output where the object y of theaction is restricted. Functions fn(`) and bn(`) return the set of the free and bound namesof `, respectively. We also define the relation dual(`,`′) which relates dual actions as

dual(`,`′) if and only if {`,`′}= {x(y),x〈y〉} or {`,`′}= {x(y),(ν y)x〈y〉}.

We use the meta-notation (F ::= P | S) to define the labelled transition semantics.

x(y : T ).Px(z)−→ P{z/y} (In) x〈z〉.P x〈z〉−→ P (Out)

F1`−→ F ′1 bn(`)∩fn(F2) = /0

F1 | F2`−→ F ′1 | F2

(ParL)F2

`−→ F ′2 bn(`)∩fn(F1) = /0

F1 | F2`−→ F1 | F ′2

(ParR)

F `−→ F ′ x /∈ fn(`)

(ν x : T )F `−→ (ν x : T )F ′(ResN)

Fx〈y〉−→ F ′

(ν y : T )F(ν y)x〈y〉−→ F ′

(Scope)

F `−→ F ′

(ν G)F `−→ (ν G)F ′(ResG)

F ≡α F ′′ F ′′ `−→ F ′

F `−→ F ′(Alpha)

P `−→ P′

!P `−→ P′ | !P(Repl)

F1`1−→ F ′1 F2

`2−→ F ′2 dual(`1, `2)

F1 | F2τ−→ (ν bn(`1)∪bn(`2))(F ′1 | F ′2)

(Com)

Fig. 1. The labelled transition system

The labelled transition semantics follows along the lines of standard π-calculus se-mantics where≡α denotes α-equivalence and the rule for the group-creation construct,(ResG), captures that transitions are closed under group restriction.

3 Policies and Types

In this section we define a policy language and the appropriate type machinery to en-force policies over processes.

4

3.1 Policies

Typically, privacy policy languages express positive and negative norms that are ex-pected to hold in a system. These norms distinguish what may happen, in the case ofa positive norm, and what may not happen, in the case of a negative norm on data at-tributes which are types of sensitive data within a system, and, in particular, how thevarious agents, who are referred to by their roles, may/may not handle this data.

The notions of an attribute and a role are reflected in our framework via the notionsof base types and groups, respectively. Thus, our policy language is defined in such away as to specify the allowed and disallowed permissions associated with the variousgroups for each base type (sensitive data). This is achieved via the following entities:

(Linearities) λ ::= 1 | 2 | . . . | ∗(Permissions) P ::= read | write | access | disclose Gλ | nondisclose

(Hierarchies) H ::= ε | G : p[H j] j∈J

(Policies) P ::= t� H | P;P

Specifically, we define the set of policy permissions P: they express that data maybe read (read) and written (write), that links to data may be accessed (access) or dis-closed within some group G up to λ times (disclose Gλ ). Notation λ is either a naturalnumber or equal to ∗ which denotes an infinite number. While the above are positivepermissions, permission nondisclose is a negative permission and, when associated witha group and a base type, expresses that the base type cannot be disclosed to any partic-ipant who is not a member of the group.

In turn, a policy has the form t1 � H1; . . . ; tn � Hn assigning a structure Hi toeach type of sensitive data ti. The components Hi, which we refer to as permissionhierarchies, specify the group-permission associations for each base type. A permissionhierarchy H has the form G: p [H1, . . . ,Hm], and expresses that an entity belonging togroup G has rights p to the data in question and if additionally it is a member of somegroup Gi where Hi = Gi: pi [. . .], then it also has the rights pi, and so on.

We define the auxiliary functions groups(H) and perms(H) so as to gather the setsof groups and the set of permissions, respectively, inside a hierarchy structure:

groups(H) =

{{G}∪ (

⋃j∈J groups(H j)) if H = G : p[H j] j∈J

/0 if H = ε

perms(H) =

{p∪ (

⋃j∈J perms(H j)) if H = G : p[H j] j∈J

/0 if H = ε

We say that a policy P = t1� H1; . . . ; tn� Hn is well formed, written P : �, if itsatisfies the following:

1. The ti are distinct.2. If H = G : p[H j] j∈J occurs within some Hi then G 6∈ groups(H j) for all j ∈ J, that

is, the group hierarchy is acyclic.3. If H = G : p[H j] j∈J occurs within some Hi, nondisclose ∈ p and disclose G′λ ∈

perms(H j) for some j ∈ J, then G′ ∈ groups(H). In words, no non-disclosure re-quirement imposed at some level of a hierarchy is in conflict with a disclosurerequirement granted in its sub-hierarchy.

5

Hereafter, we assume that policies are well-formed policies. As a shorthand, we writeG : p for G : p[ε] and we abbreviate G for G : /0.

As an example, consider a hospital containing the departments of surgery (Surgery),cardiology (Cardiology), and psychotherapy (Psychotherapy), where cardiologists ofgroup Cardio belong to the cardiology department, surgeons of group Surgeon be-long to the surgery department, psychiatrists of group Psy belong to the psychother-apy department, and CarSurgeon refers to doctors who may have a joint appointmentwith the surgery and cardiology departments. Further, let us assume the existence ofdata of type MedFile which (1) should not be disclosed to any participant outside theHospital group, (2) may be read, written, accessed and disclosed freely within boththe surgery and the cardiology departments and (3) may be read, written and accessedbut not disclosed outside the psychotherapy department. We capture these requirementsvia policy P =MedFile�H where pcd = {read,access,write,disclose Cardiology∗},psd ={read,access,write,disclose Surgery∗}, ppd={nondisclose, read,access,write},

H = Hospital:{nondisclose} [Cardiology:pcd [Cardio,CarSurgeon],

Surgery:psd [Surgeon,CarSurgeon],

Psychotherapy:ppd [Psy]]

At this point we note that, as illustrated in the above policy, hierarchies need not betree-structured: group CarSurgeon may be reached via both the Hospital,Cardiologypath as well as the Hospital,Surgery path. In effect this allows to define a process(ν Hospital)(ν Cardiology)(ν SD)(ν CarSurgeon)P belonging to four groups and in-heriting the permissions of each one of them.

3.2 The Type System

We proceed to define a typing system for the calculus.

Typing Judgements. The environment on which type checking is carried out consistsof the component Γ . During type checking we infer the two additional structures of∆ -environments and Θ -interfaces as follows

Γ ::= /0 | Γ · x : T | Γ ·G∆ ::= /0 | t : p ·∆Θ ::= t� Hθ ;Θ | t� Hθ

with Hθ ::= G[Hθ ] | G[p]. Note that Hθ captures a special type of hierarchies wherethe nesting of groups is linear. We refer to Hθ as interface hierarchies. The domain ofenvironment Γ , dom(Γ ), contains all groups and names recorded in Γ . Environment∆ assigns permissions to sensitive data types t. When associated with a base type t,permissions read and write express that it is possible to read/write data of type t alongchannels of type G[t] for any group G. Permission access, when associated with a typet, expresses that it is possible to receive a channel of type G[t] for any G and, finally, ifpermission disclose Gλ is associated with t then it is possible to send channels of typeG[t] for up to λ times. Thus, while permissions read and write are related to manipu-lating sensitive data, permissions access and disclose are related to manipulating links

6

to sensitive data. Finally, interface Θ associates a sensitive type with a linear hierarchyof groups and a set of permissions, namely, an entity of the form G1[G2[. . .Gn[p] . . .]].

We define three typing judgements: Γ ` x.T , Γ ` P.∆ and Γ ` S.Θ . JudgementΓ ` x . T says that under typing environment Γ , name x has type T . Judgement Γ `P .∆ stipulates that process P is well typed under the environment Γ and produces apermission environment ∆ . In this judgement, Γ records the types of the names of Pand ∆ records the permissions exercised by the names in P for each base type. Finally,judgement Γ ` S .Θ defines that system S is well typed under the environment Γ andproduces interface Θ which records the group memberships of all components of S aswell as the permissions exercised by each component.

Typing System. We now move on to our typing system. We begin with some usefulnotation. We write:

∆ rT =

t : read if T = tt : access if T = G[t]/0 otherwise

∆ wT =

t : write if T = tt : disclose G1 if T = G[t]/0 otherwise

Furthermore, we define the ] operator over permissions:

p1] p2 = {p | p ∈ p1∪ p2∧ p 6= disclose Gλ ∧ p 6= nondisclose}∪ {disclose G(λ1 +λ2) | disclose Gλ1 ∈ p1∧disclose Gλ2 ∈ p2}∪ {disclose Gλ | disclose Gλ ∈ p1∧disclose Gλ

′ /∈ p2}∪ {disclose Gλ | disclose Gλ

′ /∈ p1∧disclose Gλ ∈ p2}

Operator ] adds two permission sets by taking the union of the non nondisclosepermissions modulo adding the linearities of the disclose Gλ permissions. We ex-tend the ] operator for ∆ -environments: assuming t : /0 ∈ ∆ if t : p 6∈ ∆ , we define∆1]∆2 = {t : p1] p2 | t : p1 ∈ ∆1, t : p2 ∈ ∆2}.

Finally, we define the ⊕ operator as:

G⊕ (t1 : p1, . . . , tm : pm) = t1� G[p1], . . . , tm� G[pm]

G⊕ (t1� Hθ1 , . . . , tm� Hθ

m) = (t1� G[Hθ1 ], . . . , tm� G[Hθ

m])

Operator ⊕ when applied to a group G and an interface ∆ attaches G to all permissionsets of ∆ , thus yielding a Θ interface, whereas, when applied to a group G and aninterface Θ , it attaches group G to all interface hierarchies of Θ .

The typing system is defined in Fig. 2. Rule (Name) is used to type names: in nametyping we require that all group names of the type are present in Γ . Process 0 can betyped under any typing environment (axiom (Nil)) to infer the empty ∆ -interface.

Rule (In) types the input-prefixed process. If environment Γ extended with the typeof y produces ∆ as an interface of P, we conclude that the process x(y).P produces aninterface where the type of T is extended with the permissions ∆ r

T , where (i) if T is basetype t then ∆ is extended by t : read since the process is reading an object of type t, (ii)if T = T ′[t] then ∆ is extended by t : access, since the process has obtained access to alink for base type t and (iii) ∆ remains unaffected otherwise.

7

(Name)fg(T )⊆ Γ

Γ · x : T ` x.T(Nil) Γ ` 0. /0

(In)Γ · y : T ` P.∆ Γ ` x.G[T ]

Γ ` x(y : T ).P.∆ ]∆rT

(Out)Γ ` P.∆ Γ ` x.G[T ] Γ ` y.T

Γ ` x〈y〉.P.∆ ]∆wT

(ParP)Γ ` P1 .∆1 Γ ` P2 .∆2

Γ ` P1 | P2 .∆1]∆2(ParS)

Γ ` S1 .Θ1 Γ ` S2 .Θ2

Γ ` S1 | S2 .Θ1 ·Θ2

(ResNP)Γ · x : T ` P.∆

Γ ` (ν x : T )P.∆(ResNS)

Γ · x : T ` S.Θ

Γ ` (ν x : T )S.Θ

(ResGP)Γ ·G ` P.∆

Γ ` (ν G)P.G⊕∆(ResGS)

Γ ·G ` S.Θ

Γ ` (ν G)S.G⊕Θ

(Rep)Γ ` P.∆

Γ `!P.∆!

Fig. 2. The Typing System

Rule (Out) is similar: If y is of type T , x of type G[T ] and ∆ is the permissioninterface for P, then, x〈y〉.P produces an interface which extends ∆ with permissions∆ w

T . These permissions are (i) {t : write} if T = t since the process is writing data oftype t, (ii) {disclose G1} if T = G[t], since the process is disclosing once a link toprivate data via a channel of group G, and (iii) the empty set of permissions otherwise.

Rule (ParP) uses the ] operator to compose the process interfaces of P1 and P2.Parallel composition of systems, rule (ParS), concatenates the system interfaces of S1and S2. For name restriction, (ResNP) specifies that if P type checks within an environ-ment Γ · x : T , then (νx)P type checks in environment Γ . (ResNS) is defined similarly.Moving on to group creation, for rule (ResGP) we have that, if P produces a typing ∆ ,then system (ν G)P produces the Θ -interface G⊕∆whereas for rule (ResGS), we havethat if S produces a typing interface Θ then process (ν G)S produces interface G⊕Θ

Thus, enclosing a system within an (ν G) operator results in adding G to the groupmemberships of each of the components.

Finally, for replication, axiom (Rep) states that if P produces an interface ∆ then !Pproduces an interface ∆ !, where ∆ ! is such that if a type is disclosed λ > 1 in ∆ then itis disclosed for an unlimited number of times in ∆ !. That is, ∆ ! = {t : p! | t : p ∈ ∆},where p! = {p ∈ p | p 6= disclose Gλ}∪{disclose G ∗ | disclose Gλ ∈ ∆}. Note thatthe type system never assigns the nondisclose permissions, thus interfaces are neverinferred on the nondisclose permission. This is the reason the nondisclose permission isignored in the definition of the ] operator.

As an example consider S = (ν G1)(ν G2)P where P =!get(loc : Tl).put〈loc〉.0.Further, suppose the existence of a base type Loc and types Tl = G1[Loc], Tr = G2[Tl ]and Ts = G1[Tl ]. Let us write Γ = get : Tr ·put : Ts · loc : Tl . Then we have:

Γ ` 0. /0 by (Nil)Γ ` put〈loc〉.0.{Loc : {disclose G1 1} by (Out)

8

Γ ` get(loc : Tl).put〈loc〉.0.{Loc : {disclose G1 1,access} by (In)Γ ` !get(loc : Tl).put〈loc〉.0.{Loc : {disclose G1 ∗,access} by (Rep)Γ ` (ν G2)P.Loc� G2 : [{disclose G1 ∗,access}] by (ResNP)Γ ` S.Loc� G1 : [G2 : [{disclose G1 ∗,access}]] by (ResNS)

4 Soundness and Safety

In this section we establish soundness and safety results for our framework. Missingproofs of results can be found in the appendix. First, we establish that typing is pre-served under substitution.

Lemma 1 (Substitution). If Γ · x : T ` P.∆ then Γ · y : T ` P{y/x}.∆ .

The next definition defines an operator that captures the changes on the interfaceenvironment when a process executes an action.

Definition 1 (Θ1 �Θ2).

1. p1 � p2 if (i) for all p ∈ p1 and p 6= disclose Gλ implies p ∈ p2, and (ii) for alldisclose Gλ ∈ p1 implies disclose λ ′G ∈ p2 and λ ′ ≥ λ or λ ′ = ∗.

2. ∆1 � ∆2 if ∀t, t : p1 ∈ ∆1 implies that t : p2 ∈ ∆2 and p1 � p2.3. (i) G[p1]� G[p2] if p1 � p2, and (ii) G[H1]� G[H2] if H1 � H2.4. Θ1 � Θ2 if (i) dom(Θ1) = dom(Θ2), and (ii) for all t, t� H1 ∈ Θ1 implies that

t� H2 ∈Θ2 and H1 � H2.

Specifically, when a process executes an action we expect a name to maintain or loseits interface capabilities that are expressed through the typing of the name.

We are now ready to define the notion of satisfaction of a policy P by a permissioninterface Θ thus connecting our type system with policy compliance.

Definition 2.

– Consider a policy hierarchy H = G : p[H j] j∈J and an interface hierarchy Hθ . Wesay that Hθ satisfies H, written H Hθ , if:

groups(Hθ ) = G∪⋃

j∈J groups(Hθj ) ∀ j ∈ J,H j Hθ

jperms(Hθ )� (] j∈Jperms(Hθ

j ))] p

G : p[H j] j∈J Hθ

– Consider a policy P and an interface Θ . Θ satisfies P , written P Θ , if:

H Hθ

t� H;P t� Hθ

H Hθ P Θ

t� H;P t� Hθ ;Θ

According to the definition of H Hθ , an interface hierarchy Hθ satisfies a policyhierarchy H, if its groups can be decomposed into a partition {G}∪

⋃j∈J G j, such that

there exist interface hierarchies Hθj referring to groups G j, each satisfying hierarchy H j

and where the union of the assigned permissions Hθj with permissions p is a superset

9

of the permissions of Hθ , that is, perms(Hθ )� (] j∈Jperms(Hθj ))] p. Similarly, a Θ -

interface satisfies a policy, P Θ , if for each component t� Hθ of Θ , there exists acomponent t� H of P such that Hθ satisfies H. A direct corollary of the definition isthe preservation of the � operator over the satisfiability relation:

Corollary 1. If P Θ1 and Θ2 �Θ1 then P Θ2.

The next definition formalises when a system satisfies a policy:

Definition 3 (Policy Satisfaction). Let P : �. We say that S satisfies P , written P ` S,if Γ ` S.Θ for some Γ and Θ such that P Θ .

We may now state our result on type preservation by action execution of processes.

Theorem 1 (Type Preservation).

1. Let Γ ` P.∆ and P `−→ P′ then Γ ` P′ .∆ ′ and ∆ ′ � ∆ .2. Let Γ ` S.Θ and S `−→ S′ then Γ ` S′ .Θ ′ and Θ ′ �Θ .

Corollary 2. Let P ` S and S `−→ S′ then P ` S′.

Let countLnk(P,Γ ,G[t]) count the number of output prefixes of the form x〈y〉 inprocess P where x : G[t] for some base type t. (This can be defined inductively on thestructure of P.) Moreover, given a policy hierarchy H and a set of groups G, let uswrite HG for the interface hierarchy such that (i) groups(HG) = G, (ii) H HG and,(iii) for all Hθ such that groups(Hθ ) = G and H Hθ , then perms(Hθ )� perms(HG).Intuitively, HG captures an interface hierarchy with the maximum possible permissionsfor groups G as determined by H. We may now define the notion of the error processwhich clarifies the satisfiability relation between the policies and processes.

Definition 4 (Error Process). Consider a policy P , an environment Γ and a system

S≡ (ν G1)(ν x1 : T1)((ν G2)(ν x2 : T2)(. . .((ν Gn)(ν xn : Tn)P | Q | Sn) . . .) | S1)

System S is an error process with respect to P and Γ , if there exists t such that P =t� H;P ′ and at least one of the following holds, where G = 〈G1, . . . ,Gn〉:

1. read /∈ perms(HG) and ∃x such that Γ ` x.G[t] and P = x(y).P′.2. write /∈ perms(HG) and ∃x such that Γ ` x.G[t] and P = x〈y〉.P′.3. access /∈ perms(HG) and ∃x such that Γ ` x.G[t] and P = y(x).P′.4. disclose G′λ /∈ perms(HG) and ∃x,y such that Γ ` x .G[t], Γ ` y .G′[G[t]] and

P = y〈x〉.P′.5. disclose Gλ ∈ perms(HG), λ 6= ∗ and countLnk(P,Γ ,G[t])> λ

6. there exists a sub-hierarchy of H, H ′ = Gk : p[Hi]i∈I ,1≤ k ≤ n with nondisclose ∈p and ∃,x,y such that Γ ` x . G[t], Γ ` y . G′[G[t]] and P = y〈x〉.P′ with G′ /∈groups(H ′).

10

The first two error processes expect that a process with no read or write permissionson a certain level of the hierarchy should not have, respectively, a prefix receiving orsending an object typed with the private data. Similarly an error process with no accesspermission on a certain level of the hierarchy should not have an input-prefixed subjectwith object a link to private data. An output-prefixed process that send links through achannel of sort G′ is an error process if it is found in a specific group hierarchy withno disclose G′λ permission. In the fifth clause, a process is an error if the number ofoutput prefixes to links in its definition (counted with the countLnk(P,Γ , t) function)are more than the λ in the disclose Gλ permission of the process’s hierarchy. Finally, ifa policy specifies that no data should be disclosed outside some group G, then a processshould not be able to send private data links to groups that are not contained within thehierarchy of G.

As expected, if a process is an error with respect to a policy P and an environmentΓ its Θ -interface does not satisfy P:

Lemma 2. Let system S be an error process with respect to well formed policy P andsort Γ . If Γ ` S.Θ then P 6 Θ .

By Corollary 2 and Lemma 2 we conclude with our safety theorem which verifiesthat the satisfiability of a policy by a typed process is preserved by the semantics.

Theorem 2 (Safety). If Γ ` S .Θ , P Θ and S `−→∗

S′ then S′ is not an error withrespect to policy P .

5 Example

Electronic Traffic Pricing (ETP) is an electronic toll collection scheme in which the feeto be paid by drivers depends on the road usage of their vehicles where factors suchas the type of roads used and the times of the usage determine the toll. To achievethis, for each vehicle detailed time and location information must be collected and pro-cessed and the due amount can be calculated with the help of a digital tariff and a roadmap. A number of possible implementation schemes may be considered for this sys-tem [8]. In the centralized approach, all location information is communicated to thepricing authority which computes the fee to be paid based on the received information.In the decentralized approach the fee is computed locally on the car via the use of athird trusted entity such as a smart card. In the following subsections we consider theseapproaches and their associated privacy characteristics.

5.1 The centralized approach

This approach makes use of on-board equipment (OBE) which computes regularly thegeographical position of the car and forwards it to the Pricing Authority (PA). To avoiddrivers tampering with their OBE and communicating false information, the authoritiesmay perform checks on the spot to confirm that the OBE is reliable.

We may model this system with the aid of five groups: ETP corresponds to theentirety of the ETP system, Car refers to the car and is divided into the OBE and the

11

GPS subgroups, and PA refers to the pricing authority. As far as types are concerned,we assume the existence of two base types: Loc referring to the attribute of locationsand Fee referring to the attribute of fees. We write Tl = ETP[Loc], Tr = Car[Tl ], Tpa =ETP[Tl ], Tx = ETP[Tl ] and Tsc = ETP[Tx].

O = !read(loc : Tl).topa〈loc〉.0| !spotcheck(s : Tx).read(ls : Tl).s〈ls〉.0

L = !(ν newl : Tl)read〈newl〉.0A = !topa(z : Tl).z(l : Loc).0

| !send〈fee〉.0| !(ν x : Tx)spotcheck〈x〉.x(y : Tl).y(ls : Loc).0

System = (ν ETP)(ν spotcheck : Tsc)(ν topa : Tpa)

[ (ν PA)A | (ν Car)((ν read : Tr)((ν OBE)O | (ν GPS)L)) ]

In the above model we have the component of the OBE, O, belonging to groupOBE, and the component responsible for computing the current location, L, belongingto group GPS. These two components are nested within the Car group and share theprivate name read on which it is possible for L to pass to O a name via which thecurrent location may be read. The OBE O may spontaneously read on name read orit may enquire the current location for the purposes of a spot check. Such a check isinitiated by the pricing authority A who may engage in three different activities: Firstly,it may receive a name z from the OBE via channel topa and then use z for readingthe car location (action z(l)). Secondly, it may periodically compute the fee to be paidand communicate the link (fee : ETP[Fee]) via name send : ETP[ETP[Fee]]. Thirdly, itmay initiate a spot check, during which it creates and sends the OBE a new channel viawhich the OBE is expected to return the current location for a verification check.

By applying the rules of our type system we may show that Γ ` System.Θ , whereΓ = {fee : ETP[Fee],send : ETP[ETP[Fee]]} and where

Θ = Fee� ETP[PA[{disclose ETP∗}]]; Loc� ETP[PA[{access, read}]];Loc� ETP[Car[OBE[{access,disclose ETP∗}]]]; Loc� ETP[Car[GPS[{disclose Car∗}]]]

A possible privacy policy for the system might be one that states that locations may befreely forwarded by the OBE. We may define this by P = Loc� H where

H = ETP : nondisclose [Car : [OBE : {access,disclose ETP∗},GPS : {disclose Car∗}],

PA : {access, read}]

We have that P Loc � ETP[PA[{access, read}]], since the per-missions assigned to groups ETP and PA by the policy are equal to{access, read} � {access, read} = perms(ETP[PA[{access, read}]]). Simi-larly, P Loc � ETP[Car[OBE[{access,disclose ETP∗}]]] and P Loc �ETP[Car[GPS[{disclose Car∗}]]]. Thus, we conclude that System satisfies P .

This architecture is simple but also very weak in protecting the privacy of individu-als: the fact that the PA gets detailed travel information about every vehicle constitutesa privacy and security threat. An alternative implementation that limits the transmissionof locations is presented in the second implementation proposal presented below.

12

5.2 The decentralized approach

To avoid the disclosure of the complete travel logs of a system this solution employsa third trusted entity (e.g. smart card) to make computations of the fee locally on thecar and send its value to the authority which in turn may make spot checks to obtainevidence on the correctness of the calculation.

The policy here would require that locations can be communicated for at most asmall fixed amount of times and that the OBE may read the fee computed by the smartcard but not change its value. Precisely, the new privacy policy might be:

Loc�ETP : nondisclose [ Fee�ETP : nondisclose [Car : [ Car : [

OBE : {access,disclose ETP2}, OBE : {},GPS : {disclose Car∗}, GPS : {},SC : {access, read}], SC : {write,disclose ETP∗}],

PA : {access, read}] PA : {access, read}]

The new system as described above may be modelled as follows, where we have anew group SC and a new component S, a smart card, belonging to this group:

S = !read(loc : Tl).loc(l : Loc).(ν newval : Fee)fee〈newval〉.send〈fee〉.0O = spotcheck(s1 : Tx).read(ls1 : Tl).s1〈ls1〉.spotcheck(s2 : Tx).read(ls2 : Tl).s2〈ls2〉.0L = !(ν newl : Tl)read〈newl〉.0A = !(ν x : Tx)spotcheck〈x〉.x(y : Tl).y(ls : Loc).0

| send(fee).fee(v : Fee).0System = (ν ETP)(ν spotcheck : Tsc)(ν topa : Tpa)

[ (ν PA)A | (ν Car)((ν read : Tr)((ν OBE)O | (ν GPS)L) | (ν SC)S) ]

We may verify that Γ ` System.Θ , where Γ = {fee :ETP[Fee],send :ETP[ETP[Fee]]}and interface Θ satisfies the enunciated policy.

6 Related work

There exists a large body of literature concerned with formally reasoning about privacy.To begin with, a number of languages have been proposed to express privacy poli-cies [16, 15] and can be used to verify the consistency of policies or to check whether asystem complies with a certain policy via static techniques such as model checking [15,13], on-the-fly using monitoring, or through audit procedures [7, 2].

Related to the privacy properties we are considering in this paper is the notion ofContextual Integrity [2]. Aspects of this notion have been formalized in a logical frame-work and were used for specifying privacy regulations while notions of compliance ofpolicies by systems were considered. Also related to our work is [17] where a family ofmodels named P-RBAC (Privacy-aware Role Based Access Control) is presented thatextends the traditional role-based access control to support specification of complexprivacy policies. In particular, the variation thereby introduced called Hierarchical P-RBAC introduces, amongst others, the notion of role hierarchies which is reminiscent

13

of our policy hierarchies. However, the methodology proposed is mostly geared towardsexpressing policies and checking for conflicts within policies as opposed to assessingthe satisfaction of policies by systems, which is the goal of our work.

Also related to our work is the research line on typed-based security in processcalculi. Among these works, numerous studies have focused on access control whichis closely related to privacy. For instance the work on the Dπ calculus has introducedsophisticated type systems for controlling the access to distributed resources [11, 12].Furthermore, discretionary access control has been considered in [4] which similarly toour work employs the π-calculus with groups, while role-based access control (RBAC)has been considered in [3, 9, 6]. In addition, authorization policies and their analysisvia type checking has been considered in a number of papers including [10, 1]. Whileadopting a similar approach, our work departs from these works in the following re-spects: To begin with we note that role-based access control is insufficient for reasoningabout certain privacy violations. While in RBAC it is possible to express that a doctormay read patient’s data and send emails, it is not possible to detect the privacy violationbreach executed when the doctor sends an email with the sensitive patient data. In ourframework, we may control such information dissemination by distinguishing betweendifferent types of data and how these can be manipulated. Furthermore, a novelty of ourapproach is the concept of hierarchies within policies which allow to arrange the sys-tem into a hierarchical arrangement of disclosure zones while allowing the inheritanceof permissions between groups within the hierarchy.

To conclude, we mention our previous work of [14]. In that work we employed theπ-calculus with groups accompanied by a type system based on i/o and linear types forcapturing privacy-related notions. In the present work, the type system is reconstructedand simplified using the notions of groups to distinguish between different entities andintroducing permissions inference during type checking. Most importantly, a contribu-tion of this work in comparison to [14] is that we introduce a policy language and provea safety criterion that establishes policy satisfaction by typing.

7 Conclusions

In this paper we have presented a formal framework based on the π-calculus with groupsfor studying privacy. Our framework is accompanied by a type system for capturingprivacy-related notions and a privacy language for expressing privacy policies. We haveproved a type preservation theorem and a safety theorem which establishes sufficientconditions for a system to satisfy a policy.

The policy language we have proposed is a simple language that constructs a hi-erarchical structure of the entities composing a system and assigning permissions foraccessing sensitive data to each of the entities while allowing to reason about somesimple privacy violations. These permissions are certainly not intended to capture everypossible privacy issue, but rather to demonstrate a method of how one might formalizeprivacy rights. Identifying an appropriate and complete set of permissions for provid-ing foundations for the notion of privacy in the general context should be the result ofintensive and probably interdisciplinary research that justifies each choice. To this ef-

14

fect, Solove’s taxonomy of privacy violations forms a promising context in which theseefforts can be based and it provides various directions for future work.

Other possible directions for future work can be inspired by privacy approachessuch as contextual integrity and P-RBAC. We are currently extending our work to rea-son about more complex privacy policies that include conditional permissions and theconcepts of purpose and obligation as in P-RBAC. Finally, it would be interesting toexplore more dynamic settings where the roles evolve over time.

References1. M. Backes, C. Hritcu, and M. Maffei. Type-checking zero-knowledge. In Proceedings of

CCS’08, pages 357–370, 2008.2. A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. Privacy and contextual integrity:

Framework and applications. In Proceedings of S&P’06, pages 184–198, 2006.3. C. Braghin, D. Gorla, and V. Sassone. Role-based access control for a distributed calculus.

Journal of Computer Security, 14(2):113–155, 2006.4. M. Bugliesi, D. Colazzo, S. Crafa, and D. Macedonio. A type system for discretionary access

control. Mathematical Structures in Computer Science, 19(4):839–875, 2009.5. L. Cardelli, G. Ghelli, and A. D. Gordon. Secrecy and group creation. Information and

Computation, 196(2):127–155, 2005.6. A. B. Compagnoni, E. L. Gunter, and P. Bidinger. Role-based access control for boxed

ambients. Theoretical Computer Science, 398(1-3):203–216, 2008.7. A. Datta, J. Blocki, N. Christin, H. DeYoung, D. Garg, L. Jia, D. K. Kaynar, and A. Sinha.

Understanding and protecting privacy: Formal semantics and principled audit mechanisms.In Proceedings of ICISS’11, pages 1–27, 2011.

8. W. de Jonge and B. Jacobs. Privacy-friendly electronic traffic pricing via commits. In Pro-ceedings of FAST’08, LNCS 5491, pages 143–161. Springer, 2009.

9. M. Dezani-Ciancaglini, S. Ghilezan, S. Jaksic, and J. Pantovic. Types for role-based ac-cess control of dynamic web data. In Proceedings of WFLP’10, LNCS 6559, pages 1–29.Springer, 2010.

10. C. Fournet, A. Gordon, and S. Maffeis. A type discipline for authorization in distributedsystems. In Proceedings of CSF’07, pages 31–48, 2007.

11. M. Hennessy, J. Rathke, and N. Yoshida. safedpi: a language for controlling mobile code.Acta Informatica, 42(4-5):227–290, 2005.

12. M. Hennessy and J. Riely. Resource access control in systems of mobile agents. Informationand Computation, 173(1):82–120, 2002.

13. M. Koleini, E. Ritter, and M. Ryan. Model checking agent knowledge in dynamic accesscontrol policies. In TACAS’13, LNCS 7795, pages 448–462. Springer, 2013.

14. D. Kouzapas and A. Philippou. A typing system for privacy. In Proceedings of SEFMWorkshops 2013, LNCS 8368, pages 56–68. Springer, 2014.

15. Y. Liu, S. Muller, and K. Xu. A static compliance-checking framework for business processmodels. IBM Systems Journal, 46(2):335–362, 2007.

16. M. J. May, C. A. Gunter, and I. Lee. Privacy APIs: Access control techniques to analyze andverify legal privacy policies. In Proceedings of CSFW-06, pages 85–97, 2006.

17. Q. Ni, E. Bertino, J. Lobo, C. Brodie, C. Karat, J. Karat, and A. Trombetta. Privacy-awarerole-based access control. ACM Trans. on Information and System Security, 13(3), 2010.

18. D. J. Solove. A Taxonomy of Privacy. University of Pennsylvania Law Review, 154(3):477–560, 2006.

19. M. C. Tschantz and J. M. Wing. Formal methods for privacy. In Proceedings of FM’09,LNCS 5850, pages 1–15. Springer, 2009.

15